diff --git a/internal/cache/ghssh/github.go b/internal/cache/ghssh/github.go
index 0dd9145b..4cd6495e 100644
--- a/internal/cache/ghssh/github.go
+++ b/internal/cache/ghssh/github.go
@@ -3,6 +3,7 @@ package ghssh
 import (
 	"bufio"
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -11,6 +12,17 @@ import (
 	"github.com/gopasspw/gopass/pkg/debug"
 )
 
+var (
+	httpClient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				// enforce TLS 1.3
+				MinVersion: tls.VersionTLS13,
+			},
+		},
+	}
+)
+
 // ListKeys returns the public keys for a github user. It will
 // cache results up the a configurable amount of time (default: 6h).
 func (c *Cache) ListKeys(ctx context.Context, user string) ([]string, error) {
@@ -44,7 +56,7 @@ func (c *Cache) fetchKeys(ctx context.Context, user string) ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := httpClient.Do(req)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/updater/download.go b/internal/updater/download.go
index 3282a6ed..bf4b9509 100644
--- a/internal/updater/download.go
+++ b/internal/updater/download.go
@@ -3,6 +3,7 @@ package updater
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"fmt"
 	"io"
 	"net/http"
@@ -15,8 +16,18 @@ import (
 	"golang.org/x/net/context/ctxhttp"
 )
 
-// DownloadTimeout is the overall timeout for the download, including all retries.
-var DownloadTimeout = time.Minute * 5
+var (
+	// DownloadTimeout is the overall timeout for the download, including all retries.
+	DownloadTimeout = time.Minute * 5
+	httpClient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				// enforce TLS 1.3
+				MinVersion: tls.VersionTLS13,
+			},
+		},
+	}
+)
 
 func tryDownload(ctx context.Context, url string) ([]byte, error) {
 	ctx, cancel := context.WithTimeout(ctx, DownloadTimeout)
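Review bot: The new `httpClient` in the `var (` hunk swaps `http.DefaultClient` for a bare `&http.Transport{TLSClientConfig: ...}`, which drops every default that `http.DefaultTransport` carries — `Proxy: http.ProxyFromEnvironment`, the dial and TLS-handshake timeouts, idle-connection limits and HTTP/2 — so an `HTTPS_PROXY` setting is now silently ignored and a stalled handshake is no longer bounded by the transport. The client also sets no `Timeout`, so `fetchKeys` is bounded only by whatever context `req` was built with, and that call site lies outside the hunk. Building the transport from `http.DefaultTransport.(*http.Transport).Clone()` and then pinning `MinVersion` keeps the defaults while still enforcing the TLS 1.3 floor; the identical literal in `internal/updater/download.go` has the same gap and should get the same treatment. The `// enforce TLS 1.3` comment would also read better as a statement of intent, e.g. `// refuse TLS 1.2 and older so GitHub traffic cannot be negotiated down`.
```go
var httpClient = &http.Client{Transport: newTransport()}

// newTransport returns a copy of http.DefaultTransport (proxy from the
// environment, dial/handshake timeouts, HTTP/2) that only negotiates TLS 1.3+.
func newTransport() *http.Transport {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS13}
	return tr
}
```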
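Review bot: `httpClient` in the `var (` hunk of `internal/updater/download.go` is a byte-for-byte copy of the client added to `internal/cache/ghssh/github.go`, and `FetchLatestRelease` in `internal/updater/github.go` now depends on this copy as well. Two hand-maintained copies of a security floor tend to diverge at the next edit (a timeout, an extra root pool, a different minimum version), so one shared constructor — something like `func NewTLS13Client() *http.Client` in a package both callers can import — would keep the policy in a single place. If the copies stay, the `httpClient` spec deserves its own doc comment stating that it is the only client the package should use, e.g. `// httpClient is the TLS 1.3-only client every updater request must go through.`, otherwise a future `http.DefaultClient.Do` call here would quietly bypass the floor.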
@@ -51,7 +62,7 @@ func download(ctx context.Context, url string) ([]byte, error) {
 	req.Header.Set("Accept", "application/octet-stream")
 
 	t0 := time.Now()
-	resp, err := ctxhttp.Do(ctx, http.DefaultClient, req)
+	resp, err := ctxhttp.Do(ctx, httpClient, req)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/updater/github.go b/internal/updater/github.go
index b967c8e8..a138ea4c 100644
--- a/internal/updater/github.go
+++ b/internal/updater/github.go
@@ -83,7 +83,7 @@ func FetchLatestRelease(ctx context.Context) (Release, error) {
 	// pin to API version 3 to avoid breaking our structs
 	req.Header.Set("Accept", "application/vnd.github.v3+json")
 
-	resp, err := ctxhttp.Do(ctx, http.DefaultClient, req)
+	resp, err := ctxhttp.Do(ctx, httpClient, req)
 	if err != nil {
 		return Release{}, err
 	}